Agenda

2018 Agenda Coming Soon!!

2017 Agenda and Topics

The forum will be organized around modules that each provide in-depth topical study, and will bring together a diverse set of legal scholars and practitioners, technology experts, business leaders, and policymakers in a conversation about how to work together to meet the most pressing challenges.

Thursday, March 30

Friday, March 31: Mapping the Divide

9:00 a.m. - 10:00 a.m. – The Technical Threat Landscape

ERIC STRIDE, Senior Vice President, root9B

What does the cyber threat landscape look like today? Where are threats coming from? What are the motivations of the actors behind these threats? How do the varying motivations affect the nature of the threats and the available responses?

Careful use of strong encryption is our best defense against theft of data and unwanted surveillance. Despite the banality of that observation, many organizations and individuals that are responsible for valuable data don't use encryption or use it incorrectly. Moreover, there are common information-security problems that encryption cannot solve. Feigenbaum will review both the power of encryption to protect digital resources and the limits of that power. She will then turn to the questions of why encryption is not used more often and more effectively and what Cyber Forum participants can do to improve the situation.

ZHONG SHAO, Professor of Computer Science, Yale University; Leader of the CertiKOS team

The construction of secure and functionally correct systems software has been one of the grand challenges of computing since at least the mid-20th century. Recent advances made by the CertiKOS team at Yale demonstrate that it is indeed feasible and practical to build certifiably hacker-resistant operating systems that additionally provide evidence - through machine-checkable mathematical proofs - that the operating systems are free of any loopholes.

Today more than ever, both law enforcement and the private sector are grappling with the question of what is the most effective mode of deterrence regarding cybercrime and what is the most effective use of resources. Is it better to systematically and persistently disable infrastructure quickly and at scale, even if the cybercrime “kingpin” is never identified? Is it better to invest six years and millions of dollars to identify, prosecute and convict a handful of the most high level players, even if the crimes continue during that period? This discussion explores options for enforcement, pros and cons, and potential strategies and tradeoffs in the borderless world of cybercrime.

Moderated by EDWARD WITTENSTEIN, Executive Director, Johnson Center for the Study of American Diplomacy, Yale University

In December 2016, the Commission on Enhancing National Cybersecurity delivered its final report to the President, offering a series of recommendations to strengthen and streamline the federal government’s cybersecurity efforts over the short-, medium-, and long-term. This lunch conversation will provide a first-hand account of the Commission’s 10-month investigation, and the perspectives offered by senior cybersecurity experts across government, academia, and the private sector. How did the Commission arrive at its findings and what are the prospects for implementation going forward?

VIVEK MOHAN, Global Privacy Law and Policy, Apple Inc.

MEGAN STIFEL, Founder, Silicon Harbor Consultants; former Director for International Security Policy, National Security Council

Moderated by OONA HATHAWAY

A vast range of legal and business considerations render incident response a task that cannot solely be handled by information security personnel. In responding to information security incidents, companies need to manage regulatory risk, government/law enforcement cooperation, privilege issues, international considerations, notification obligations, and more, all while dealing with timely imperatives to actually mitigate and investigate the incident. The totality of considerations applicable to the company must be understood well before an incident occurs to ensure incident response plans are usable and effectively manage risk.

Breakout groups will lead participants, who will be drawn from different sectors, in a discussion of what they see as the central challenges to overcoming the divide between law, technology, and business on cyber. They will also begin to brainstorm strategies for overcoming the divide.

How should private sector institutions value cyber risk?

What should be the regulatory framework for IoT regulation?

What should be the guiding framework for legal/policy/business practice principles for when government or corporate cyber self-defense is justified?

ADAM SEGAL, Ira A. Lipman Chair in Emerging Technologies and National Security, and Director of the Digital and Cyberspace Policy Program, The Council on Foreign Relations

These require our focused attention: the likelihood that a US-China cyber deal would hold; the depth of the split between Washington DC and Silicon Valley; and the willingness of Russia to use info ops against the US.

The world of cyber remains a world of uncertainty. There is uncertainty about the nature of current, much less future, threats. There is uncertainty about the current and future legal landscape. And there is, as a result, deep uncertainty about the roles and responsibilities of businesses. How should businesses respond to these uncertainties? This panel will consider how businesses can manage the threat landscape in a world of uncertainty. The conversation will address (1) long-term risk management through investments; (2) mid-term risk management through programming; and (3) short-term crisis management when an attack is underway—who to call and what steps to take to minimize harm.

We will present the results from the first day of discussion, including small group conversations—what challenges have participants faced and what strategies have they used to overcome the challenges? How could the regulatory landscape better bridge the divide? What should the regulatory ecosystem for cyber look like as we move forward? How should responsibility be allocated between private actors and government regulators? Where should government step in and when should it instead step back? Is there a special role, for example, when it comes to critical infrastructure? (And, if so, what, exactly, is critical infrastructure?) This conversation will form the basis for a post-conference report regarding the possible roles and responsibilities of various stakeholders in the cyber-security arena.

The U.S. Senate has been actively engaged in ensuring effective oversight of government cyber strategy and policy. The Senate Armed Services Committee in particular has held a number of high-profile open hearings in recent months to consider foreign cyber threats and the challenges associated with crafting effective legislative responses. Looking ahead, this closing conversation will explore the Congress’ upcoming cyber agenda for the next year.